Account Lockout Audit

Posted on 2011-10-10
Last Modified: 2012-05-12
I have a user that keeps getting locked out in Active Directory.
I used the Microsoft tools, but they were not helpful.
I configured the audit policy via GPO in the domain-controller-level policy as follows:

Audit account logon events       Success, Failure
Audit account management         Success, Failure
Audit directory service access   Success
Audit logon events               Success, Failure
Audit object access              Success, Failure
Audit policy change              Success
Audit privilege use              No auditing
Audit process tracking           No auditing
Audit system events              Success

But again, when I try to lock out my username, I can't find the audit that says the account was locked out.

I have 3 domain controllers.



Question by:Senx

    Expert Comment

    You need to get ALTools.exe.
    You should see a security event on a combination of DCs that locks the user out because of a credential mismatch.

    For example, the user changed their password, but is resuming a remote session that runs continuously on a terminal server.
    Or the user has shared resources mapped with the old password (control keymgr.dll).
    The tool will let you locate the source from which this user's credentials are being submitted.

    Author Comment

    Thanks for your answer.

    I figured out with ALTools which machine locked me out,

    but I checked the services and scheduled tasks for anything that ran under my account, and none of them used my account.

    Are there any ideas about what can lock my account?

    Expert Comment

    Failed attempts to access resources using outdated credentials are the only thing.
    When you say, "i figure out with altools what machine locked me out", do you mean you found the system from which the failed requests were being made, or are you talking about the DC that actually locked the account?
    The DC is not the cause of the lockout; it is a consequence of failed authentication attempts that were received by it.
    You need to determine the system from which your username with the wrong password was being used, and why. Is that system a terminal server? Does your last password change correspond to when your account began to be locked out? Do you have a laptop that is always on (hibernate) that you take with you and then connect to the LAN, where you still use your old password to unlock/log in to the laptop? If so, this is the source of your issue.

    Author Comment

    Thank you for your answer.

    Yes, I mean I found the system from which the failed requests were being made.

    The system is not a terminal server.
    XP SP3.
    Not a laptop.

    Accepted Solution

    As part of ALTools, there is an XP subfolder that deals with setting up/adding a DLL and registering it in order to determine the cause/source on the XP machine of the many requests.
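
Added example, not part of the original thread and not part of ALTools: one way to look for the lockout audit record the question asks about on every domain controller, and to read the submitting machine from it. It assumes Windows Server 2008 or later DCs (where a lockout is Security event 4740, written under the Account Management audit category), the ActiveDirectory PowerShell module, and the hypothetical function name Get-LockoutSource and user name jdoe.

```powershell
# Added example. Assumptions: DCs run Windows Server 2008+ (lockout = event 4740),
# the ActiveDirectory module (RSAT) is installed, and the caller may read the
# Security log on each DC. Get-LockoutSource is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory = $true)] [string] $User,   # sAMAccountName to search for
        [int] $Hours = 24                                # how far back to look
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    # Ask every DC: the event is written on the DC that performed the lockout.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent raises an error when nothing matches or the DC is unreachable.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Read the event fields by name from the XML instead of by position.
            $data = @{}
            ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['TargetUserName'] -ieq $User) {
                [pscustomobject]@{
                    TimeCreated      = $e.TimeCreated
                    DomainController = $dc.HostName
                    LockedAccount    = $data['TargetUserName']
                    # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
                    CallerComputer   = $data['TargetDomainName']
                }
            }
        }
    }
}

# Example call with a placeholder user name:
# Get-LockoutSource -User 'jdoe' -Hours 48 | Sort-Object TimeCreated | Format-Table -AutoSize
```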
